Best-in-Class Enterprise Risk Management

This paper, authored by Stephen Walker, discusses how ERM activity has been increasing rapidly in recent years due to the relative immaturity of ERM programs at most organizations and the potential negative impacts of not having an ERM program in place. The need for ERM is currently being driven by several factors: the knowledge that current ERM practices in the financial services sector were inadequate, the failure of siloed risk management to adequately manage systemic risk that aided the economic fallout, and Standard and Poor’s (S&P’s) introduction of ERM analysis into the corporate credit ratings process.

Fewer than 30% of companies surveyed have devoted resources to ERM for over five years, but many companies reported significant budgetary investment increases devoted to ERM in the coming year. The pressure point most often rated by respondents as driving organizations to invest in resources to improve ERM efforts is the need to better manage and mitigate business, operational, and financial risks on an enterprise-wide basis (49%). Risk management budgetary decision-making has also been elevated in importance, with the company’s top executives (CFO: 47%; CEO: 46%) having this responsibility.

Best-in-Class ERM Companies

The value of ERM is ultimately tied to the quantifiable results achieved in the organization.  Three key performance indicators (KPIs) were used to measure the progress and success of ERM initiatives.  With respect to these KPIs, Best-in-Class performers fell into the top 20% of aggregate performance scorers, Industry Average performers in the middle 50%, and Laggards in the bottom 30%.  Best-in-Class performers realized a 20% increase in management’s ability to access the company’s current risk status, a 17% increase in clear, timely communication of risks to key stakeholders, and a 13% increase in translating collected risk assessment data into actionable business recommendations.  Industry Average performers realized 2-3% increases in these metrics, while Laggards realized only 1-2% increases in these measures. 

Achieving these Best-in-Class performance improvements requires a combination of strategic actions, organizational capabilities, and enabling technologies and services. Best-in-Class companies understand that a sustained ERM effort depends on having a consistent, comprehensive, and measurable risk management framework in place. This provides a reliable baseline from which monitoring and measuring can produce performance metrics that help achieve business goals.

Best-in-Class companies also employ strategic actions emphasizing operational efficiency, goal-oriented accountability, and the development of a risk-aware organizational culture to continually advance corporate goals throughout the ERM program development.  This allows Best-in-Class companies to implement strategies to converge overlapping or synergistic portions of their risk management and compliance activities and gain operational efficiencies 50% more often than other companies.  With S&P’s introduction of ERM criteria in the evaluation process, companies have more reason than ever to build ERM programs.  In addition to the business-driving, ROI value proposition of an effective ERM program, companies also now have a regulatory reason to address some foundational elements of an ERM framework or renew efforts on existing ERM frameworks.

Benchmarking Requirements for Success

Best-in-Class, Industry Average, and Laggard companies were analyzed for characteristics they shared in five key categories: process, organization, knowledge management, technology, and performance management.  Process refers to embedding processes that incorporate and mitigate risk exposures identified from both reactive and proactive business procedures.  Best-in-Class companies are more than twice as likely as Laggards to establish and enforce consistent risk management policies and procedures across geographies and lines of business.  This helps in the beginning of an ERM program to identify, assess, and prioritize business-relevant risks.  As ERM programs mature, this capability helps companies consistently reprioritize resources and devote them to the most important objectives and processes.  Because of this, Best-in-Class organizations experienced a 9% increase in elimination of redundant risk management processes, a 3.75-fold greater increase than other organizations.

Organization refers to the corporate focus and collaboration among stakeholders. Best-in-Class companies are twice as likely as other companies to have a central, secure, and accessible repository for risk-related information and 1.5 times more likely to have business leaders advocating a culture of open risk communication. This combination allows for continuous strategy adjustment in response to a changing spectrum of risks, which enabled Best-in-Class companies to increase the detection of weaknesses in internal risk management processes and controls by 10% and improve their ability to adjust those processes and controls to changes in regulatory requirements and business demands by 11%, outperforming Laggards tenfold.

Knowledge management involves contextualizing data and exposing it to key stakeholders.  Best-in-Class companies are more than 1.75 times as likely as Laggards to have senior management actively involved with establishing and embedding the overall strategic direction of the company’s risk management philosophy and more than twice as likely to task a responsible executive with primary ownership of the ERM program.  Executive involvement enables full-circle communication and proactive progress towards achievement of critical business goals and an ability to make necessary changes to communication and decision-making hierarchies.

Technology examines the selection of appropriate tools and effective deployment of those tools.  Best-in-Class companies are more than twice as likely as Laggards to incorporate analytics and tools to monitor risk-based KPIs on the achievement of enterprise-wide objectives and 1.5 times more likely to employ technologies facilitating complete and readily retrievable audit trail records.  Having these technologies in place allowed Best-in-Class companies to improve their documentation to show regulators and ratings agencies the level of sophistication and maturity of their ERM programs by 13%, a tenfold greater improvement than other companies in this area.

Performance management refers to the ability of the organization to measure its results to improve its business. Best-in-Class companies are 1.8 times more likely than Laggards to employ consistent process prioritization assessments to ensure the most business-relevant risk management processes are monitored most frequently. They are more than nine times as likely to use self-audit metrics for each business unit to measure risk management progress against established milestones. These capabilities allow companies to establish risk-centric performance baselines that allow for adjusting corporate strategies and activities to ensure predetermined thresholds remain intact; escalating identification, prioritization, and remediation of problem areas; and tracking improvements in risk management functions by mapping current performance against established baselines.

Required Actions for ERM Performance Improvements

No matter how sophisticated a company’s ERM program is, there are steps that can be taken to further improve ERM in the organization.  Laggards should distribute established risk management policies, practices, and thresholds to employees on an enterprise-wide basis to facilitate the risk-based organizational culture essential to effective ERM programs.  They should also immediately incorporate a central, secure, and accessible repository for risk-related information as this is a foundational building block that can help drive a risk-centric mentality throughout the organization.

Industry Average performers should make sure senior management is actively involved with establishing and embedding the overall strategic direction of the company’s risk management philosophy, as organizational buy-in is critical to realizing the company’s overall goals and aligning the goals of different levels of an organization. Corporate objectives and company business goals should be routinely communicated to risk teams and process owners for consistent mapping back to established risk parameters. This helps focus and prioritize the most business-critical and fiscally relevant risk management activities.

Best-in-Class companies should accelerate the incorporation of additional business intelligence analytics and tools to monitor KPIs and key risk indicators.  This can assist in gleaning important, relevant data from large volumes of information.  Analytic tools like dashboards can help by relaying pertinent knowledge to the individual who can capitalize on its availability.

Original Article Source: “Enterprise Risk Management: The Art of Avoiding Unpleasant Surprises,” Stephen Walker, 2009.